Canadian CEOs are among the most confident in their level of preparedness for a cyber threat, according to the results of our latest CEO Outlook, with 73% of CEOs saying they're well prepared for a future attack, compared to 58% globally. But with the rise of increasingly sophisticated threats coupled with a business environment that relies heavily on cloud-based applications and remote workforces, corporate leaders may have a false sense of how secure their operations really are.
Organizations that haven't already baked security into their architecture, operations and corporate culture are increasingly vulnerable to threats and attacks. But even if they're leveraging sophisticated defensive controls that use machine learning and artificial intelligence to detect suspicious and potentially harmful activities, cybercriminals are using similar techniques to bolster their attacks, too.
A threat to growth
While Canadian CEOs are confident they're prepared for an attack, cyber security is considered the third greatest threat to growth, following emerging/disruptive technology and regulatory hurdles.
Our annual National Cyber Security Month poll, which surveyed 253 leaders at small and mid-sized Canadian companies, revealed that this optimism was even higher: 94% say they monitor their environments for potential cyberattacks. At the same time, 59% of those surveyed say they're only "somewhat confident" in their ability to detect and respond to a cyberattack—which demonstrates a disconnect.
Since the start of the pandemic, there's been a huge spike in ransomware, as well as phishing and social engineering attacks in general. Our cyber security poll revealed that 49% of SMBs successfully migrated some business processes into the cloud during the pandemic (as it was a top priority), while 40% have invested in or implemented additional access management protections to their data, including multi-factor authentication and password-less authentication.
"Security is still very much an afterthought for many organizations rather than by design. When you move to the cloud, embark on new technology or go through a transformational project, security needs to play a role right from the beginning."
— Hartaj Nijjar, Partner, Cyber Security, KPMG in Canada
But the pandemic has also shone a spotlight on third-party risk; CEOs aren't just concerned about protecting their own borders, but also understanding how they could be exposed if they're reliant on third parties that experience a cyber breach. At the same time, there's an increased need to partner with third parties to enable tech transformation and a digital-ready future.
The events of the past year and a half have shown that we need to focus on operational security—while policies and procedures are important, organizations need to back those up with secure technical-level controls. They also need to develop and encourage a cyber security culture where all employees play a role in protecting the key assets of the organization.
"With the move to cloud and remote work, the attack surface is bigger and harder to secure, so you end up with vulnerabilities that are relatively easy to exploit. You become easy prey without knowing it, even if you've invested a lot in cyber security. That's why we're seeing a greater move towards endpoint security."
— Guillaume Clément, Partner, Cyber Security, KPMG in Canada
Building digital resilience
Building resilience requires a multi-layered approach, but our survey found that many of these 'layers' aren't considered a priority over the next three years. For example, only 23% of Canadian CEOs say they plan to embed security and resilience principles into the design of future systems and services.
Only half of the large organizations surveyed plan to focus on the security and resilience of their supply chains and supplier ecosystem over the next three years. In the same vein, only 44% of leaders say they will establish a strong digital and cyber risk culture in their organization championed by senior leaders and only 37% say they're investing to develop secure and resilient cloud-based technology infrastructure.
At the same time, 44% of small to medium-sized businesses say they haven't developed comprehensive playbooks or run through cyber simulations regularly—so if they're breached, they often discover they're not as well prepared as they'd thought. That's why security by design continues to be one of the most important strategic steps in building a resilient organization—baking in security from the beginning, into everything you do, from technology to operations to corporate culture.
That also means taking a multi-layered approach to security, with a focus on endpoint protection and third-party supplier risk mitigation, as well as building a culture around cyber security. This includes employee training and education, as well as encouraging employees to take an active role in protecting the organization (such as reporting suspicious emails). More CEOs are recognizing the importance of this, with 83% agreeing that building a cyber security culture is just as important as building technological controls.
Although Canadian businesses have a way to go, we're seeing companies put aside the funds to build out more robust strategies. Indeed, 48% of SMBs plan to devote up to 20% of their tech budgets to cyber security over the next 12 months. And for a vast majority of CEOs, digital resiliency is top of mind, but it requires an ongoing commitment to a holistic security approach.
- Security by design: Rather than taking a defensive stance and building a 'perimeter' of security around your corporate assets, take a more holistic approach and build security into your enterprise architecture.
- Build a cyber security culture: Train employees at all levels on cyber security threats (such as how to spot a phishing email). Consider using positive reinforcement by recognizing employees when they spot and report suspicious incidents.
- Keep up with your due diligence: Continuously evaluate your organization's threat landscape and the controls you have in place to mitigate those threats. Don't just focus on typical threats; be sure to test your level of security preparedness against different types of threats.